Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel's secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration. The biz has already promised to demonstrate a so-called God-mode hack this December, saying they've found a way …

  1. Louis Schreurs BEng

    First

    Let's go hack the x86 world.

    1. Dan 55 Silver badge
      Black Helicopters

      Re: First

      Start here:

      http://localhost:16992/

      http://another.ip.on.your.lan:16992/

      Yep, it's got a web server too. With bugs.

  2. Anonymous Coward

    Hello: 'Trusted Computing' Model 2.0?

    ....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...

    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

  3. Anonymous Coward

    Embedding an all-powerful backdoor remote management OS on the chips: what could go wrong?

    1. Mark 65 Silver badge

      In years past it would be tin-foil hat territory and it can be equally well assigned to incompetence, but it would seem to be awfully convenient for the various 3 letter agencies out there. More so if it had been kept under wraps. Will this spell the end of such dual controls or will the World just quietly ignore it whilst updating their status?

  4. Anonymous South African Coward Silver badge

    Quick! Everybody switch over to AMD chop-chop!

    ...as if. Doh.

    1. phuzz Silver badge

      Too late, they have their own version.

      That said, AMD are only putting it in some chips, and aiming it at the enterprise market where it's actually wanted.

      1. whitepines Silver badge
        Facepalm

        Nope. It's in every single chip and increasingly vital to the boot process (well, technically, even now *no* AMD chips will boot without it, it's just that now DRAM setup and other functions are also being moved into the PSP. Can you say "exploits everywhere"?)

    2. Ken Hagan Gold badge

      Re: Everybody switch over to AMD

      I imagine that there *are* people (say, in Russia or China) who *are* now asking whether there is a trusted source of x86-compatible CPUs. And if not, whether there ought to be.

      If these people *aren't* asking that question, they aren't doing their job properly.

      1. elip

        Re: Everybody switch over to AMD

        Actually, Russian government asked this question several years back, passed protectionist legislation, and is now turning to its own CPU designers and fabricators for their systems.

        I can only imagine, China being China, it has already done this several years back.

    3. Mark 65 Silver badge

      The rise of ARM or are they headed that way too?

      1. jbuk1

        I don't know about all ARM platforms but certainly the rpi relies on a closed source binary blob for the powervr gpu which is responsible for the actual boot process.

        Yes I did say the gpu.

  5. tony2heads
    Happy

    The year of..

    Minix on the desktop?

    1. Peter2 Silver badge

      Re: The year of..

      It would appear that Intel appreciated the Minix microkernel design over the monolithic kernel design.

      I look forwards to seeing the next round of the infamous flame war with great dread.

      1. Mpeler
        Black Helicopters

        Re: The year of.. the magic word

        WOMIX won't work anymore, you have to throw the battery at the dwarf with the hatchet and then type in MINIX or XINIM.

        You are in a maze of twisty passages that all look alike.....

  6. Christian Berger Silver badge

    Increasingly security is about not doing stupid things...

    ... and having a separate system designed to circumvent security boundaries which is enabled by default.

    Seriously, if you make any system more complex, it'll be less secure.

    1. Christian Berger Silver badge

      damn posted too early, it should be

      ..having a separate system designed to circumvent security boundaries which is enabled by default is certainly a stupid thing.

      1. Ole Juul Silver badge

        Re: damn posted too early, it should be

        I do use a separate computer for my privacy needs. It's built with an Intel Pentium 4 511 2.80GHz 533 and a 915GEV motherboard. Actually it's surprisingly fast for what is 12 year old technology. It makes me think that for most use cases, there's not much gain in running the latest CPUs.

        1. AJ MacLeod

          @Ole Juul

          And as a bonus, you don't need your central heating on while the P4 is running...

          1. Ole Juul Silver badge

            Re: @Ole Juul

            That is indeed a bonus in an area where it's below freezing for more than half the year. A few hundred watts in computer usage gives me better value than the other electric heaters around here.

        2. Alan Brown Silver badge

          Re: damn posted too early, it should be

          You know the I915 chipset has this too, don't you?

  7. DougS Silver badge
    FAIL

    Minix? Seriously??

    Apple's secure enclave runs the L4 microkernel, which has been formally verified. Intel's supposedly-secure management engine runs a 30 year old OS used for teaching that has never had any sort of security evaluation.

    Yeah, that makes sense. I would have assumed it ran some sort of microkernel that's at least been designed for embedded use!

  8. Dan 55 Silver badge

    Read the open letter right till the end

    The bit at the end is the important part. It says earlier versions of MINIX were designed for education, later versions for availability, and none were designed for "military grade security".

    Intel took a copy of an earlier version. The creator of MINIX hopes that Intel did security hardening on it in addition to the changes that Intel asked him to make to the source code.

    1. Charles 9 Silver badge

      Re: Read the open letter right till the end

      Interesting they used this and didn't consider switching to say seL4 which is also a microkernel but also formally proven. Might it be because of DMA needs?

      1. elip

        Re: Read the open letter right till the end

        What is the fascination with formally verified software all of a sudden? It means nothing in the real world. Many commercial TCP/IP stacks have been formally verified, almost all have suffered serious security issues (many found by Michal Zalewski). WPA2 was also formally verified, and we now see how that worked out in the real world. Lots of software also happens to fully pass their test suites, before we start exploiting it. ;-) Save your money, skip the formal verification, and focus on simplicity.

        1. Mark 65 Silver badge

          Re: Read the open letter right till the end

          The fascination with formally verified software is likely that it is at least one step better than not verified in any way shape or form software. Sure the former could have flaws and the latter none but I know which way around I'd bet.

  9. Anonymous Coward

    Intel - the hardware retail arm of the NSA

    Trust is broken

    1. bombastic bob Silver badge
      Big Brother

      Re: Intel - the hardware retail arm of the NSA

      well, there's now a linux version that disables it [so they say].

      I expect that requiring physical access to the machine is enough, for the moment, but I'm still concerned about any on-board network adaptor being connected in ANY way to the outside world.

      Keep in mind, IPv6 exposes EVERYONE to the intarwebs, because (virtually) all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC. If your NIC can be cracked using an exposed port, in ANY way, because of the "management engine", we are all in one huge sorry state as far as security goes...

      I am not aware as to whether Intel's "management protocol" can withstand intarweb routing. Most likely it can withstand WIFI routing, and possibly a spoof of some layered protocol if you're using a VPN. Sniffing any kind of SSL would be extremely difficult, but not impossible, especially if your network is being monitored. The odds of this crack being successful WITHOUT physical machine access is PROBABLY small. HOWEVER, I wouldn't trust it anyway, so maybe I should stick with "the earlier architecture".

      1. Norman Nescio Silver badge

        Claim: all IPv6 addresses are *PUBLIC*

        > ...all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC

        Ahem. You might want to look into IPv6 link-local and IPv6 unique-local addresses (not the deprecated site-local as I originally wrote).

        Firewalling networks is also (as you imply) generally a good idea. IPv6 capable IoT devices directly connected to the Internet need to handle things differently, which is a whole other story.

        Note that all IPv4 addresses are public, that is, they are all known, it's just that some are defined by the rules as unroutable on the public Internet, and most ISPs enforce that by filtering. IPv6 local addresses are similarly defined as unroutable on the public Internet, but unlike IPv4 non-routable addresses, IPv6 local addresses have the capability of having a good chance of being globally unique, unlike, say 192.168.1.1 or 169.254.1.1.

        1. Anonymous Coward

          Re: Claim: all IPv6 addresses are *PUBLIC*

          > Note that all IPv4 addresses are public ...

          Bombastic Bob is probably talking about home routers generally using NAT for IPv4, which didn't originally have an equivalent for IPv6. Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic.

          1. Charles 9 Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            You don't need NAT for IPv6. Heck, it's generally not needed given the address space. You just need the firewall, and I don't recall firewalls going away with IPv6, not even on home routers, unless you can prove otherwise.

            1. Justin Clift

              Re: Claim: all IPv6 addresses are *PUBLIC*

              > You just need the firewall, and I don't recall firewalls going away with IPv6, not even on home routers, unless you can prove otherwise.

              It would be great if it was that simple. :)

              Home routers are often used by people with no real knowledge of computers/IT. They have no understanding of TCP, let alone what the heck a "port" is. So getting them to (correctly) configure a firewall for their new something-they-just-plugged-into-the-network isn't really practical.

              Some home routers have a GUI which lets people select a protocol (eg HTTPS) for a device, and can build a basic firewall based on that. That definitely helps. But it's not a real solution to the problem, as many devices use non-standard ports, and the end user won't have a clue what to do.

              NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users' end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.

              1. Charles 9 Silver badge

                Re: Claim: all IPv6 addresses are *PUBLIC*

                Home router issues don't go away with IPv6. That's why uPnP exists for better or worse because the computer illiterate want to use their stuff, the Internet is not built around hand-holding, and the security/ease-of-use dichotomy prevents a happy medium. You simply can't fix Stupid, but Stupid outvotes you, so you can't tell them to stay off the Internet.

                1. Anonymous Coward

                  Re: Claim: all IPv6 addresses are *PUBLIC*

                  I still don't understand why, when IPv6 is eventually the norm that I wouldn't still sit my LAN as IPv4 sat behind an outwardly facing IPv6 NATed router/modem? Just because IPv6 will be everywhere does not mean it needs to be used on a home LAN.

                  1. Charles 9 Silver badge

                    Re: Claim: all IPv6 addresses are *PUBLIC*

                    Simple. To talk to an IPv6 Internet, you need an IPv6 stack, period. There's just no physical way to cram 128 bits into 32 bits of space without something giving. Since you'll already have the IPV6 stack...

                    1. Anonymous Coward

                      Re: Claim: all IPv6 addresses are *PUBLIC*

                      > Simple. To talk to an IPv6 Internet, you need an IPv6 stack, period. There's just no physical way to cram 128 bits into 32 bits of space without something giving. Since you'll already have the IPV6 stack...

                      You have heard of tunneling IPv6 over IPv4, haven't you? ;)

                      Around these parts, we've already had to deal with blocking that as muppets discovered it and were using it to get around blocks, rules and regulations.

              2. waldo kitty
                Boffin

                Re: Claim: all IPv6 addresses are *PUBLIC*

                > NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users' end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.

                this! i wish i could give you more thumbs-ups but...

            2. Anonymous Coward

              Re: Claim: all IPv6 addresses are *PUBLIC*

              > You don't need NAT for IPv6. Heck, it's generally not needed given the address space.

              It isn't a matter of needing NAT. It is a matter of being no one's business how many systems we have connected to our networks and using services on/over the Internet. NAT allows for multiple systems to use the connection of one system without exposing their private parts to the world+dog. IPv6, by design, leaves your privates exposed for any dog to come sniffing about.

          2. bombastic bob Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            "generally using NAT for IPv4"

            yes (and the rest, mostly yes).

            Sure, there's a spec for IPv6 NAT somewhere, but I'm not aware of it actually being used. I rely on a firewall blocking 'incoming' traffic from "teh intarwebs" on specific ports that are well known, like 139, 445, 6000, yotta yotta and those ports that Winders machines INSIST on listening on "*" to... [because the coders were TOO LAZY to bind it to localhost]

          3. Alan Brown Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            "Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic."

            As long as they apply the _same_ firewalling rules on IPv6 as on IPv4 (ie, all incoming blocked by default, etc) then there's no major issue.

            There are home routers which mirror the IPv4 rules to IPv6 by default.

        2. bombastic bob Silver badge
          Meh

          Re: Claim: all IPv6 addresses are *PUBLIC*

          "You might want to look into IPv6 link-local and IPv6 unique-local addresses (not the deprecated site-local as I originally wrote)."

          thanks for the nit-pickiness. Of course, not THOSE. Duh.

      2. Anonymous Coward

        Re: Intel - the hardware retail arm of the NSA

        It always makes me laugh the amount of downvotes for questioning the default security implications of IPv6, it's like going into a group of knife jugglers and saying "it's a bit dangerous" and getting "of course it's not dangerous we are all professionals!!".

        IPv6 for the average user is less secure than 4 for the simple reason very few people had their PC on a public v4 IP or relied solely on the internal firewall, in fact most internet users couldn't tell you if they are running a correctly configured firewall or have ever allowed software to drill through that.

        I like a router with a firewall, blacklist, whitelist, maybe a bit of traffic shaping, logging etc and you bunch of knife jugglers can do as you please, blindfolded.

        Ooh I mentioned the downvote, we know what comes next! frankly I couldn't give a shit and have just about forgotten what I used to come to this site for...

        1. Jamie Jones Silver badge

          Re: Intel - the hardware retail arm of the NSA

          uPnp?

          If a home user's setup is less secure by default under IPv6 than IPv4, the problem is with their router, not IPv6.

        2. JLV Silver badge

          Re: Intel - the hardware retail arm of the NSA

          what's a good consumer-grade router that comes, or can take, the better open source router OSs?*

          * skipping on DD-WRT - DD-WRT itself is really nice, but their website is utterly confusing as to what build might be expected not to brick your particular router. I'll confess a lack of comfort at playing around blindly with something that controls your internet access - even if it's not permanently damaged, googling how to fix your corrupted router can be problematic.

          1. Anonymous Coward

            Re: Intel - the hardware retail arm of the NSA

            I wasn't sure either; so, I did a Google search on "openbsd 6.2 PF on routers" and there are many sources there. Google also has some suggestions with that search that might be more specific to your question.

  10. Phil O'Sophical Silver badge
    FAIL

    > PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces

    Permanent, non-airgappable access to an internal chip-level hardware debug interface via an external port. What a monumentally stupid idea.

    1. Anonymous Coward

      Genius move by our Overlords

      Loads of great reasons for this little beauty to exist... some extinction level event the Overlords didn't want anyone to know about like an impending asteroid strike, discovery of a real alien invasion, to stop rogue AIs using CPUs like neurons to take over the world, or to rewrite history to their liking...

    2. Dan 55 Silver badge
      Facepalm

      I just read Wikipedia's entry on the ME.

      The thing can execute Java as well.

      1. Ken Hagan Gold badge

        At least Java was designed to be sandbox-able.

        1. Charles 9 Silver badge

          But they didn't design Java's sandbox to be impossible to escape, meaning it's nothing more than a speed bump.

  11. Anonymous South African Coward Silver badge

    Trolled a bit through older articles and found these:

    https://www.theregister.co.uk/2017/09/26/intel_management_engine_exploit/

    https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

    Any more articles on this lovely backdoor?

    1. Doctor Syntax Silver badge

      "Any more articles on this lovely backdoor?"

      Keep watching. It looks like the sort of gift that keeps on giving.

  12. Ben1892

    I found this video particularly enlightening/scary; https://www.youtube.com/watch?v=iffTJ1vPCSo

    TLDW;

    IME is the tip of the iceberg, AMD isn't safe either, extensible firmware is the wrong way forward, you need to shred your motherboard and buy something with open source Linux firmware.

    You can try and neuter ME but you might need a hardware programmer, see me_cleaner for details https://github.com/corna/me_cleaner

    1. whitepines Silver badge

      Neutering the ME won't stop this exploit!

      Time to buy ARM or OpenPOWER, just watch out for the ARM vendors that implement their own version of the ME/PSP....

  13. Will Godfrey Silver badge
    FAIL

    Doh!

    Put that into any spy story and everyone would have said you were being totally unrealistic...

    but that was yesterday.

  14. Norman Nescio Silver badge

    More (old) background information at bleeping computer

    Bleeping computer gives a bit more info, together with a response from Intel when a very similar issue was raised in January:

    Intel CPUs Can Be Pwned via USB Port and Debugging Interface

    I think the news is that some of the restrictions mentioned in January have now been worked around. My guess, because I don't read Russian, is that they've managed to avoid needing a key from Intel to turn on the DCI capability.

    For those who don't like shortened URLs, the blog is here at habrahabr.ru.

    Ahh yes - a swift bit of Google translate and it seems that if DCI is not blocked in BIOS (which is true for many PCs, apparently), then it can be enabled 'on the fly'. They give a mitigation:

    > As a protection against such attacks, we recommend activating Boot Guard, checking the DCI activation bit and prohibiting debugging in the IA32_DEBUG_INTERFACE register.

    What could be interesting is if you can execute code on the main processor which could then communicate in a debug session via the XHCI controller with the ME. That would likely have interesting consequences, as it would bypass the need to physically plug something into a USB port. I would imagine some thought has been put in by Intel to prevent precisely that.
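
An added example, not part of any commenter's post or of the researchers' write-up: one way to audit the IA32_DEBUG_INTERFACE register named in the mitigation quoted above. It assumes a Linux host with the `msr` kernel module loaded and root privileges, and uses the MSR address (0xC80) and bit layout from Intel's Software Developer's Manual; the function and class names are made up for this sketch.

```python
"""Audit IA32_DEBUG_INTERFACE on Linux (added example, not vendor code)."""
import glob
import os
import struct
from dataclasses import dataclass

# Address and bit layout as documented in the Intel SDM, volume 4.
IA32_DEBUG_INTERFACE = 0xC80
BIT_ENABLE = 1 << 0            # silicon debug features enabled
BIT_LOCK = 1 << 30             # register is locked against further writes
BIT_DEBUG_OCCURRED = 1 << 31   # sticky bit set by hardware once Enable was set


@dataclass(frozen=True)
class DebugInterfaceState:
    raw: int
    enabled: bool
    locked: bool
    debug_occurred: bool

    def findings(self):
        """Return the deviations from the recommended state, empty if none."""
        out = []
        if self.enabled:
            out.append("Enable=1: silicon debug is switched on")
        if not self.locked:
            out.append("Lock=0: the Enable bit can still be changed at runtime")
        if self.debug_occurred:
            out.append("DebugOccurred=1: debug was enabled since the last reset")
        return out


def decode(raw):
    """Split a raw 64-bit MSR value into the three documented fields."""
    return DebugInterfaceState(
        raw=raw,
        enabled=bool(raw & BIT_ENABLE),
        locked=bool(raw & BIT_LOCK),
        debug_occurred=bool(raw & BIT_DEBUG_OCCURRED),
    )


def read_msr(cpu, msr=IA32_DEBUG_INTERFACE):
    """Read one MSR through the Linux msr driver (/dev/cpu/N/msr)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        data = os.pread(fd, 8, msr)   # the file offset selects the MSR
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


def audit_host():
    """Map each logical CPU to its decoded state, or to the read error."""
    results = {}
    for path in sorted(glob.glob("/dev/cpu/[0-9]*/msr")):
        cpu = int(path.split("/")[3])
        try:
            results[cpu] = decode(read_msr(cpu))
        except OSError as exc:        # no permission, or MSR not implemented
            results[cpu] = exc
    return results


if __name__ == "__main__":
    # Constructed sample values, so the decoder can be seen working offline.
    for label, raw in (("locked, debug off", 0x40000000),
                       ("unlocked, debug off", 0x00000000),
                       ("debug on, unlocked", 0x80000001)):
        print(f"sample {label}: {decode(raw).findings() or 'ok'}")

    live = audit_host()
    if not live:
        print("no /dev/cpu/*/msr nodes: load the msr module and run as root")
    for cpu, state in sorted(live.items()):
        if isinstance(state, OSError):
            print(f"cpu{cpu}: read failed ({state})")
        else:
            print(f"cpu{cpu}: raw={state.raw:#x} {state.findings() or 'ok'}")
```

A value with Lock set and Enable clear is the state the quoted recommendation asks for; an unlocked register is worth reporting even when Enable is clear.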

  15. Andy The Hat Silver badge

    Tanenbaum?

    Haven't heard that name in years, nice to know he's still going. "Computer Networks" was *the* book I wanted but couldn't afford when I was at university in 1984!

    1. Anonymous Coward

      Re: Tanenbaum?

      Did you ever have M. J. R. "JR" Roberts?

      I still have my Tanenbaum :)

    2. Tom 7 Silver badge

      Re: Tanenbaum?

      Operating Systems Design and Implementation - got an old version. Very good book - toying with getting a newer version when my time expansion machine starts working fulltime - currently only works when the kids watch Strickenly.

      Distributed Operating Systems was cool too.

      1. M. Poolman
        Pint

        Re: Tanenbaum?

        Me too! Obviously a few commentards of a certain age on here.

        I often think Andrew Tanenbaum is one of the most overlooked pioneers in computing history and deserves a lot more credit than he gets. IIRC correctly, he never really "got" the open source thing until much too late and MINIX had been eclipsed by Linux.

        Anyway, I'll raise a glass to him

      2. GnuTzu Bronze badge

        Re: Tanenbaum?

        The book that's half source code.

        1. Ken Hagan Gold badge

          Re: Tanenbaum?

          "The book that's half source code."

          But his source code was far more interesting than most authors' prose.

  16. JimmyPage Silver badge

    Underscores a point I've been making forever ...

    It's all very well promoting FOSS as less likely to have holes because of plain sight oversight. But unless and until you have verified every underlying component - including the logic gates baked into the silicon - you are still placing your trust in Somebody Else's Work.

    When I was cautioning about trusting CPUs, I envisaged the odd dodgy or undocumented opcode that could escalate privilege, or access processes.

    I have to admit, that cynical as I am, I didn't imagine a hidden OS in the CPU.

    So, how many other chips have hidden depths then?

    1. M man

      Re: Underscores a point I've been making forever ...

      hidden.........if only

    2. DougS Silver badge

      Re: Underscores a point I've been making forever ...

      Might want to capitalize 'you' there as unless YOU have personally verified every underlying component you are placing your trust in somebody else's work. I think Apple's secure enclave is far more secure than Intel's ME, for a variety of reasons. But I'm still trusting Apple has implemented it in the way they say they have, and Apple is probably trusting the team who formally verified the L4 microkernel they're using (i.e. I doubt they rechecked the verification themselves)

      The world is several centuries past the point where it was possible for someone to verify everything they have or know. Maybe DaVinci was the last who might have. What we instead must trust is that someone will discover when trust is misplaced. It took a while, but someone has discovered that any trust in Intel that the ME was secure was misplaced.

      Hopefully that puts pressure on Intel to fix what has been found, do their own investigation to find/fix things before more are discovered by outsiders and they look even worse, and to consider security as the #1 requirement for the ME going forward. Even if that means revisiting their IMHO terrible ideas of using Minix for it, leaving JTAG connected in production shipments, etc. I think the overall design is so broken they need to start from scratch and design ME v2.0.

      1. Anonymous Coward

        Re: Underscores a point I've been making forever ...

        "Hopefully that puts pressure on Intel to fix what has been found, do their own investigation to find/fix things before more are discovered by outsiders and they look even worse, and to consider security as the #1 requirement for the ME going forward. Even if that means revisiting their IMHO terrible ideas of using Minix for it, leaving JTAG connected in production shipments, etc. I think the overall design is so broken they need to start from scratch and design ME v2.0."

        I don't think it's possible for security to come first in the IME, simply due to client demands. Remote management is paramount. That's why it's called a management engine. In this case, security gets in the way of management, and there's likely no way to achieve both, and lack of management affects the bottom line more directly than security in this case.

    3. Tomato42 Silver badge
      Boffin

      Re: Underscores a point I've been making forever ...

      The first step in allowing the user to update the firmware to a version he or she had audited is for the firmware to be open source.

      Yes, it's not an end in itself, but it is the first step.

  17. Doctor Syntax Silver badge

    Minix licence

    The FAQ link to the licence on the Minix site, http://www.minix3.org/license.html returns 404 and, according to archive.org has done so for some years. Going back to an older version it is, as the FAQ states, a fairly standard BSD link which requires that binary distributions credit the origin in the documentation. I wonder if Intel do that and if so how conspicuously. A very quick search through the generation 8 datasheet failed to find anything and Tanenbaum himself has recently said that it would have been nice if they'd let him know. Does Intel's use actually abide by the terms of the licence?

    1. bombastic bob Silver badge
      Devil

      Re: Minix licence

      "Does Intel's use actually abide by the terms of the licence?"

      not unless it's a true "creative commons" license. BSD-like and MIT-like licenses usually have copyright requirements where you acknowledge the owner of the original source for your copied or derived work.

      So yeah, it COULD be a license violation, if we had license text to prove it.

      1. Doctor Syntax Silver badge

        Re: Minix licence

        "So yeah, it COULD be a license violation, if we had license text to prove it."

        Put the link I gave into the Wayback Machine, go back a few years and you can read it. The problem isn't finding the licence, the problem's working through the Intel document mountain to see if they do acknowledge it.

        1. Dan 55 Silver badge

          Re: Minix licence

          Just did a Google search site:intel.com +amt +minix, and it doesn't come up with anything relevant.

  18. jms222

    It's the old thing that if you have physical access which now includes to the machine's USB ports the machine is open.

    The other thing that's got completely out of hand is browsers. They are more complicated than operating systems were not long ago. If you run a browser it is best to assume that anything the user running the browser has access to is compromised. (See recent item about ads redirecting the user.)

    As for hypervisors and relying on their relatively shiny CPU features don't get me started.

    1. Paul Crawford Silver badge
      Facepalm

      Not to mention the plan for USB access via web browsers, wonder if that would somehow allow the JTAG access? Oh the fun we can look forward to...

  19. CAPS LOCK Silver badge

    Access to the USB ports?

    Plastic Padding* is your friend. It stops the likes of Stuxnet in its tracks.

    * Type Elastic natch.

    1. Brewster's Angle Grinder Silver badge

      Re: Access to the USB ports?

      I found porridge works quite well. (I dropped my phone in it. Cleaning it out was, um, gruelling.)

    2. JLV Silver badge

      Re: Access to the USB ports?

      and its effect on your trusty rodent is...?

  20. x 7 Silver badge

    Minix?

    Wasn't that Tri-ang's 4mm scale version of Scalextric?

    1. Anonymous Coward

      Tri-ang Minix?

      Minic.

  21. Anonymous Coward

    How long has MINIX been on our systems?

    Since Pentium III? Core 2? My i7 4790 (Haswell)? Christ, that's all I need, some as*hole waking up my computer via LAN, booting his own OS, installing ransomware and f*cking off.

    1. Anonymous Coward

      Re: How long has MINIX been on our systems?

      "At its inception in 2006, the ME was reportedly located on the MCH (northbridge), but when that became integrated into the CPU beginning with Nehalem, ME was moved to the PCH (current-day “southbridge”)."

      http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html

      Worldwide kill/modify switch?

      1. Anonymous Coward

        Re: How long has MINIX been on our systems?

        Intel Microprocessor Guide - pre-2009

        https://www.intel.com/pressroom/kits/quickrefyr.htm

    2. GreenReaper

      Re: How long has MINIX been on our systems?

      Skylake. There was ME before, but it was on a different architecture.

      The recent vulnerability announcement refers to Skylake and above.

  22. Anonymous Coward

    Wait, when it was revealed that Linux could be hacked via USB people here said it's no big deal because you had to have physical access. So why is it that people are not coming to the support of Intel since you need physical access to the USB port?

    https://forums.theregister.co.uk/forum/1/2017/11/07/linux_usb_security_bugs/

    1. Aitor 1 Silver badge

      Hacking the processor

      The horrible thing here is that you essentially hack the processor.. not the OS. So no defense is possible as of now.

      They should have never included this in the processor.. it is horrible.

      1. stephanh Silver badge

        Re: Hacking the processor

        I think it is great. If your favorite hat color is black.

        Think about the possibilities.

        1. Malicious website uses social engineering tricks to let user grant it WebUSB access.

        2. Using said access, it hacks into a piece of hardware which communicates over USB protocol but which may even be a physical part of your computer (e.g. laptop keyboard or touchpad). So nice try that you filled your USB ports with epoxy but it didn't help.

        3. From the compromised device it now hacks back into your computer using the IME vulnerability.

        It doesn't even matter anymore if you run Windows, macOS or Linux!

    2. Androgynous Cupboard Silver badge

      Yeah. I'm just wondering that myself. If you have USB access you can probably also reach the power button, in which case - short of full disk encryption - you're pwned anyway.

      Not sure I buy the hacking model of distributing USB disks with rootkits on them - yes, I've seen Mr Robot - I know that it's possible, but it's a bit specialised and doesn't scale well. Plus, I presume the stick has to be in the drive when the machine boots, no? It's not like if you plug in a USB stick claiming to be a JTAG interface it will somehow magically bypass the OS USB stack and go straight to the lights-out chip. That might fly with firewire but USB has only a single master.

      In short, nice hack and Intel deserve a kick up the arse, but I don't see this being a major risk - unless it works without booting the machine, and with the software-simulated USB over XHCI as someone posited above. Then we're all fucked.

      1. Anonymous Coward
        Anonymous Coward

        Think BadUSB which can attack the baseline controller from the moment the bad device is plugged in, and it can masquerade as practically anything, including the keyboard or mouse needed to work the machine.

        1. DougS Silver badge

          Getting USB connected may not be that difficult

          Imagine if someone could get malware on a USB device that's commonly plugged into computers. Like say an Android phone...

          Or the old standby of getting them to plug a USB key in their computer. Imagine if you knew where a lot of Intel employees went during lunch hour, and dropped a USB key in the parking lot marked "AMD confidential, if found please destroy". Don't think anyone would be dumb enough to check it out?

        2. Androgynous Cupboard Silver badge

          BadUSB (and by extension, the hypothetical rooted Android device) both create a dodgy USB device which interacts with the OS to do bad things. I know about that (I've built quite a few USB devices myself). They don't "attack the baseline controller", but act as a keyboard, disk - all normal devices that the OS would expect to see, but programmed in a way to attack the target computer by sending malicious keystrokes etc.

          But this hack requires the USB device to interact with the Intel lights-out chip, not the OS. That was the point I was making: while the OS is running, the OS is in control of all USB communications and would (I believe) have to explicitly allow the device to communicate with the lights-out chip. This is because USB is a single-master design, so you cannot have two USB controllers acting on the bus at the same time.

          USB devices report themselves by vendor and product ID, so it's possible that the Intel management chip would intercept any USB devices of a certain type (the described JTAG-to-USB device) and not report them to the OS. Then, this attack would work against a running computer. But that's not what was reported.

  23. M man

    This is bad right?

    really bad.

    They get your processor and your network cards.........

    a hardware level exploit that can communicate with the outside world!

    Could this be combined with BadUSB?

  24. Natalie Gritpants

    I wonder if SCO thinks they have patents/copyright on stuff in Minix?

  25. Alistair Silver badge
    Windows

    Urrr

    I still have a box of blue 768Mb floppies. 28 of them. And a blue and white binder. With 600 and change pages of source code & commentaries. Cut my teeth on that stuff with an 80286 4.77Mhz from Commodore Canada.

    Thanks Mom.

    (It was a Christmas gift. She was building a TI/(something) from a kit she'd bought).

    So it seems I have a decent start on hacking some servers ... I just have to get the floppies copied over to a virtual disk and spin it up in kvm.....
